Improved anonymity preserving three-party mutual authentication key exchange protocol based on chaotic maps

Three-party authentication key exchange (3PAKE) is a protocol that allows two users to establish a session key for encrypted communication with the help of a trusted remote server. User anonymity and mutual authentication are important security requirements of an authentication key exchange, since they protect users' privacy and strengthen the protocol. Recently Li proposed a chaotic maps-based authentication key exchange protocol intended to provide mutual authentication and user anonymity, but we found faults in the key exchange phase and the password change phase of this scheme. We show that Li's scheme does not provide user anonymity and that private user information is disclosed, propose an enhanced three-party authentication key exchange protocol that provides user anonymity, analyse its security properties and verify its validity with BAN logic and the AVISPA tool.


Introduction
Authentication key exchange is an important building block of network security: it is the mechanism by which communicating parties share a session key over a public network so that their subsequent communication can be encrypted.

Related work
Password-based authentication key exchange is the traditional approach, and many password-based authentication key exchange methods have been proposed [6-13, 16, 20, 34]. However, several security weaknesses have been revealed in schemes that rely on passwords alone.
Tallapally [6] proposed a simple password-based 3PAKE protocol for wireless communication networks; however, Farash [7] showed that this scheme cannot resist online and offline password guessing attacks and improved it, but the improved scheme was in turn found to be vulnerable to offline password guessing attacks by Lu [8]. Lu proposed a further improvement, but that scheme was still vulnerable to offline password guessing attacks [9].
Youn [10] proposed a 3PAKE protocol based on passwords and modular exponentiation. However, Heydari [11] pointed out that Youn's scheme is vulnerable to user impersonation attacks and proposed a modified 3PAKE protocol that overcomes these limitations; his scheme, though, still does not provide user anonymity, because the user's identity is disclosed in the key exchange phase. Lin et al. [12] proposed a verifier-based 3PAKE with low computational and communication cost based on passwords and modular exponentiation. Chiou [13] pointed out that Lin's scheme provides neither anonymity nor untraceability and is not computationally efficient, and proposed a 3PAKE that provides anonymity and untraceability by encrypting messages with a long-term key. However, since this scheme also performs key exchange [45] by modular exponentiation, its computation is still not efficient.
Researchers have therefore turned to Elliptic Curve Cryptography (ECC) [46] and Chebyshev Chaotic Maps (CCM) [47,48], which are much more efficient than modular exponentiation. ECC is fast because it reaches the same security level with a much smaller key than modular exponentiation. Chebyshev chaotic maps need fewer public parameters than ECC, are simple to implement and are convenient for portable terminal environments.
Wu [14] proposed an ECC-based key agreement scheme for mobile user roaming in global mobility networks, in which the user's dynamic identity is updated in each session. However, Gupta [15] pointed out that Wu's scheme fails to provide untraceability and that its detection of password typos is inefficient.
Xie [16] proposed a password-based 3PAKE protocol using chaotic maps. Lee [17] found that Xie's scheme is vulnerable to offline password guessing attacks and does not provide user anonymity, and proposed a password-free 3PAKE protocol that overcomes these shortcomings. In Lee's scheme the user's secret is generated by combining the server's secret key with the user's identity, and it is used to authenticate that user. However, Xie [18] found that Lee's scheme is vulnerable to user impersonation attacks, and Jabbari [19] showed that it is vulnerable to insider impersonation attacks and does not provide anonymity.
Farash [20] proposed a password-based 3PAKE using Chebyshev chaotic maps, in which the user's authentication verifier is generated by combining the server's secret with the user's identifier and password. However, Xie [21] and Li [22] found that Farash's scheme is vulnerable to user impersonation and offline password guessing attacks. Xie proposed an updated chaotic maps-based scheme that overcomes these weaknesses, but Lu [23] found that it still allows offline password guessing and user impersonation attacks and does not provide user anonymity. Lu's scheme provides anonymity by encrypting messages with a secret key derived, via the chaotic map, from the server's public key. However, his scheme has defects in its protocol design [24].
To overcome the weaknesses of password-only authentication, researchers have proposed 3PAKE protocols that combine a smart card and biometrics with the user's password.
proposed by Xue [26] and Chuang [37] and proposed an improved lightweight authentication scheme. His scheme provided anonymity using smart cards and passwords without public key encryption.
In 2018, Wei [38] also proposed a 3PAKE protocol that provides anonymity without public-key cryptography in order to reduce computational cost. In 2019, Yang [39] proposed a lightweight 3PAKE protocol for WSN environments that uses only XOR and hash functions and provides perfect forward secrecy.

Motivation and our contribution
Authentication schemes combining password, smart card and biometrics are effective in systems that require strong security. However, most smart card-based schemes are vulnerable to stolen smart card attacks [26,28,32], and most schemes are vulnerable to at least one known attack.
Designing protocols that resist various attacks in various environments while providing anonymity and untraceability remains a challenge. Many schemes have attempted to provide anonymity and untraceability but failed [12,14,17,20,23,32,43].
Recently, in 2018, Li [22] proposed a chaotic maps-based 3PAKE that provides anonymity using a password and a smart card. In his scheme the user shares with the server a credential derived from the user's identity, the user's password and the server's secret, and chaotic maps are used to exchange the session key. He also uses modular squaring and square roots computed with the Chinese Remainder Theorem to encrypt messages so as to provide anonymity and untraceability. However, the protocol has drawbacks.
We analysed Li's scheme and show that the user's authentication verifier is disclosed to an insider attacker, that user anonymity therefore fails, and that a password change can be broken by blocking messages in the password change phase. We design an enhanced 3PAKE protocol that overcomes these weaknesses and resists various attacks. In this paper we propose strong mutual authentication between the server and the users to defeat insider attacks, and a re-registration phase that lets users re-register without changing their identifier. We then analyse the security properties of our scheme, verify its validity with BAN logic [49] and the AVISPA tool [50], and present a comparative analysis with previous work.

The property of Chebyshev polynomials
Chebyshev polynomials have the following two properties [47,48].

Computational problems based on Chebyshev polynomials
CDLP (Chaotic maps-based Discrete Logarithm Problem): given two elements α and β, it is infeasible for any polynomial-time algorithm to find the integer n such that β = T_n(α) mod p [48].
CDHP (Chaotic maps-based Diffie-Hellman Problem): given the three elements α, T_m(α) mod p and T_n(α) mod p, it is infeasible for any polynomial-time algorithm to compute T_mn(α) mod p [48].

Bio-hashing and Fuzzy Extractor function
Biometric traits have an advantage over traditional user identification methods because they are inherent attributes that cannot easily be shared, and every person's biometric attributes are unique [51]. In general, a captured biometric characteristic (face, fingerprint, palmprint, etc.) is not exactly the same at each capture, since it varies with the environment. To address this, Lumini et al. [52] proposed and refined Bio-hashing, which maps a user's biometric features to user-specific random vectors. Many recent authentication key exchange schemes [3,24] are based on Bio-hashing.
Dodis et al. [53] proposed the fuzzy extractor, which consists of two functions (Gen, Rep). Gen takes a biometric input B and outputs a nearly random binary string R together with an auxiliary (helper) string P. Rep recovers R from the helper string P and a fresh biometric reading B'. If dist(B, B') ≤ t and Gen(B) → ⟨R, P⟩, then Rep(B', P) = R. Fuzzy extractors are used in many authentication schemes [1,3,4,30,32,33].
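The following is an added worked example of the (Gen, Rep) interface described above; it is not code from the paper or from Dodis et al. It uses the code-offset construction (a random codeword is XORed with the biometric template to form the helper data P) with a 5-fold repetition code, and it takes R as the SHA-256 hash of the codeword rather than the seeded universal hash of the original definition. The repetition factor REP, the template length and the per-block error tolerance t = (REP-1)/2 are assumptions chosen for the demonstration; the biometric samples are constructed bit vectors, not real templates.

```python
"""Code-offset fuzzy extractor (Gen, Rep) over a bit-string biometric template.

Assumptions (not from the paper): repetition code with factor REP, templates of
REP*KEY_BITS bits, and R = SHA-256(codeword). Majority decoding of each REP-bit
block tolerates up to t = (REP-1)//2 flipped bits per block, so dist(B, B') <= t
must hold within every block, not just globally.
"""
import hashlib
import secrets

REP = 5               # repetition factor (assumed)
KEY_BITS = 16         # codeword symbols; template length is REP * KEY_BITS bits
T = (REP - 1) // 2    # per-block error tolerance t


def _encode(word_bits):
    """Repetition code: each key bit is repeated REP times."""
    return [b for b in word_bits for _ in range(REP)]


def _decode(code_bits):
    """Majority vote per block of REP bits; corrects up to T flips per block."""
    out = []
    for i in range(0, len(code_bits), REP):
        block = code_bits[i:i + REP]
        out.append(1 if sum(block) * 2 > REP else 0)
    return out


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def gen(biometric, rng=secrets.randbits):
    """Gen(B) -> (R, P): R = H(codeword), P = B xor codeword (public helper data)."""
    assert len(biometric) == REP * KEY_BITS
    word = [rng(1) for _ in range(KEY_BITS)]       # fresh random key word
    codeword = _encode(word)
    helper = _xor(biometric, codeword)            # P hides the codeword under B
    r = hashlib.sha256(bytes(word)).hexdigest()
    return r, helper


def rep(biometric_prime, helper):
    """Rep(B', P) -> R; equals Gen's R when every block of B' differs from B in <= T bits."""
    noisy_codeword = _xor(biometric_prime, helper)  # = codeword xor (B xor B')
    word = _decode(noisy_codeword)                  # strip the noise by decoding
    return hashlib.sha256(bytes(word)).hexdigest()


def demo(flips_per_block):
    """Constructed sample: random template B, then B' with `flips_per_block` bits
    flipped in every block. Returns True iff Rep recovers the R produced by Gen."""
    template = [secrets.randbits(1) for _ in range(REP * KEY_BITS)]
    r, p = gen(template)
    noisy = list(template)
    for i in range(0, len(noisy), REP):
        for j in range(flips_per_block):
            noisy[i + j] ^= 1
    return rep(noisy, p) == r


if __name__ == "__main__":
    for flips in range(REP + 1):
        print(f"{flips} flips per block -> Rep recovers R: {demo(flips)}")
```

Running the block shows recovery succeeding for 0, 1 and 2 flips per block and failing from 3 upwards, which is exactly the threshold t of the repetition code; a production scheme would use a stronger code (e.g. BCH) so that t applies to the whole template.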
The Dolev-Yao attacker model defines the capabilities of an attacker on the public channel, and side-channel techniques such as reverse engineering and power analysis allow an attacker to extract the data stored in a smart card [57,58]. A password guessing attack lets an attacker recover a password from password-related information under the premise that the password has low entropy. An insider attacker is a legitimate user of the system who behaves maliciously.
In this subsection we describe the adversary model used for the security analysis of the previous work and of the proposed scheme:
1. An adversary can eavesdrop on, modify, delete, block and replay all messages sent over the public channel [54], but cannot access messages sent over the secure channel.
2. An adversary can extract all data stored in a lost or stolen smart card using side-channel techniques [55,57,58].
3. According to [56], an attacker can easily guess the user's identity or password once he has obtained information from a smart card or from the public channel.
4. An adversary can be a legitimate but malicious user or server of the system [4,33].

Review of Li et al.'s scheme
This section shows that the scheme proposed by Li et al. [22] has some deficiencies. Li et al. designed a three-party password-based authentication key exchange protocol based on chaotic maps that is intended to provide user anonymity. In their scheme, information related to the user's password is registered at the server, and modular squaring together with square roots computed by the Chinese Remainder Theorem is used to provide user anonymity. However, the scheme has faults in the session key exchange phase and the password change phase. Below is a brief description of Li et al.'s scheme and its deficiencies.

Li et al.'s scheme
Notations used in their paper.
Registration phase.
Step 2: Upon receiving the message from the user, S computes
Step 3: The user stores rm_i into his end-user device.
Authentication and key exchange.
Step 1: The user A chooses a random number r_A ∈ [1,
Step 2: Upon receiving
Step 3: Upon receiving
Step 4: Upon receiving
Step A5:
Step A6: After receiving
Step A7: After receiving If they are valid, A and S are authenticated by B. Finally, A computes the session key
Password change phase.
Step 1: The user A chooses a random number
Step 2: Upon receiving
Step 3: Upon receiving C_2 from S, A sets it as the new password and replaces rm_A with rm_A' in his end-user device. Otherwise, A returns to Step 1 and repeats the process. If the message is C_5, A returns to Step 1 with another new password and repeats the process.

Faults of Li et al.'s scheme
Many attack models [54-58] have been proposed, and cryptographic protocols [25,33,34,38,59,60] have been analysed against them. Based on the adversary model of Section 2.6, we analyse Li et al.'s scheme. Under this model the adversary can eavesdrop on and block every message sent over the public channel, and he may himself be a legitimate user of the system. In this paper we call such an adversary an insider adversary.
Verifier disclosure attack. Li et al.'s scheme has the fault that a user's authentication verifier is disclosed to an insider adversary in the authentication and key exchange phase. The details of the verifier disclosure attack are as follows.
Step 1. In order to exchange a session key with a legal user A, the insider adversary C chooses a random number r_C ∈ [1, p+1] and computes R_C = T_{r_C}(α) mod p, PW_C = T_{pw_C}(α) mod p and h(rm_C, PW_C), where rm_C is retrieved from his end-user device. Then C sends
Step 2. Upon receiving M_1, S checks it and, if it is valid, continues with the next step. S chooses two random numbers r_S1, r_S2 ∈ [1, p+1] and computes R_S1
Step 3. At this point C intercepts M_2 = {μ_C', R_C', R_S2'} and computes as follows:
As a result, C obtains A's authentication verifier h(rm_A, PW_A). In the same way C can obtain the authentication verifier of every legal user. To obtain the authentication verifier of user A, an insider adversary only needs to build a message M_1 for a session key exchange with A according to the protocol, send it to the server, intercept the server's message M_2, and compute as shown above.
User impersonation attack. As shown above, since an insider adversary C can obtain any legal user's authentication verifier through the verifier disclosure attack, he can impersonate any legal user.
If an insider adversary C wants to impersonate a legal user A and communicate with B, he first obtains A's authentication verifier V_A = h(rm_A, PW_A) through the verifier disclosure attack, before the authentication and key exchange phase.
In the authentication and key exchange phase C proceeds as follows. Step 1. C chooses a random number r_C ∈ [1, p+1] and computes R_C = T_{r_C}(α) mod p. With V_A he can then construct the message
Steps 2, 3 and 4 are performed according to the protocol, and B computes K_BA
Steps 6 and 7 are performed according to the protocol, and B computes SK_BA. As a result, C successfully impersonates user A.
Failure of user anonymity. An insider adversary C can obtain every legal user's authentication verifier through the verifier disclosure attack, as shown above; that is, C knows the authentication verifier V_i of every user U_i. When a legal user A exchanges a session key with a legal user B, C intercepts the message M_2 = {μ_A, R_A, R_S2} that S sends to B and computes as follows: for each authentication verifier V_i of user U_i, C repeats the following computation until U_A' and U_i are equal.
If U_A' and U_i are equal, C knows that the current user's identifier is U_i; as a result, C learns A's identifier U_A.
Weaknesses of the password change phase. In Li et al.'s scheme, information related to the user's password is registered at the remote server and users can change their password in the password change phase. In the registration phase, the information related to user U_i's password stored on the server is

is user authentication verifier) and this information is replaced with VP
in the password change phase. However, an attacker can block the message C_3 (the user's request) or C_4 / C_5 (the server's response) in Step 4 of the password change phase, and then the user cannot tell whether his password was changed. If the scheme is designed so that the user keeps the old password until the server's response arrives, the attacker blocks C_4 or C_5; if it is designed so that the user switches to the new password as soon as C_3 is sent, the attacker blocks C_3. Either way the verifier held by the user no longer matches the one held by the server, and the user can no longer log in.

Proposed scheme
This section describes an enhanced smart card-based 3PAKE protocol that overcomes the limitations of Li et al.'s scheme. The proposed scheme has five phases: system initialization, registration, authentication and session key exchange, password change, and re-registration. Table 2 lists the notations used to describe the proposed scheme.

System initialization phase
1. S selects his secret key k_s ∈ [1, p+1] and computes the public key P_s = T_{k_s}(α).

Registration phase
User A sends his identifier U_A to S via a secure channel. S looks up U_A in the user registration table to check whether user A has already been registered. If U_A does not exist in the user

Authentication and session key exchange phase
Step 1. User A connects his smart card SC_A to the user end-device and inputs his identifier U_A, password pw_A and biometrics bm_A. SC_A computes
Step 4. After receiving M_3 = {V_AS', N_S'} from A, B connects his smart card SC_B to the user end-device and inputs his identifier U_B, password pw_B and biometrics bm_B. SC_B computes

PLOS ONE: Three-party mutual authentication key exchange
S aborts the process. Otherwise S authenticates A and B, chooses a random number R_S and computes
Step 6. After receiving M_5, if the check fails B aborts the process. Otherwise B authenticates S and A, and then computes
Step 7. After receiving the message, if the check fails the recipient aborts the process. Otherwise B authenticates A and sets K_BA as the session key.

Password change phase
User A connects his smart card SC_A to the user end-device and inputs his identifier U_A, password pw_A and biometrics bm_A.

Re-registration phase
When a registered user has lost his smart card or it has been stolen, he needs to re-register with the server. However, some schemes [19,22,23] have no re-registration phase or cannot re-register a user without changing his identifier, because the user's secret is derived from the user's identifier and the server's secret only.
In the proposed scheme the user's secret X_A is derived from the user's identifier, a random number and the server's secret, so users can re-register with the remote server without changing their identifier.
A user who wants to re-register only sends his identifier to the server and then follows the registration phase of the proposed scheme.
User A sends his identifier U_A to S via a secure channel. S looks up U_A in the user registration table and stores {p, α, P_s, GX_A, GK_A, F_A, T_n(·), H(·), E_K(·), D_K(·)} in his memory.

Security analysis of the proposed scheme
In this section, we present an informal analysis and formal verification of the proposed scheme.
For the formal analysis we first use BAN logic [49] to verify mutual authentication and the validity of the established session key, and then the AVISPA (Automated Validation of Internet Security Protocols and Applications) toolkit [50] to verify that the proposed scheme resists passive and active attacks, including man-in-the-middle and replay attacks.
Finally, through an informal security analysis, we show that the proposed scheme resists various attacks and provides the required security properties.

Authentication proof based on BAN logic
Notations and rules. Table 3 lists the notations and rules of BAN logic [49] used here.
Goals. We set the following goals to prove that our scheme provides strong mutual authentication and that the established session key is secure.

Table 3. Notations and rules of BAN logic.

Notation : Description
P |≡ X : P believes X
P ⊲ X : P sees X
P |~ X : P once said X
P |⇒ X : P has jurisdiction over X

Idealize. We idealize the messages of the proposed scheme as follows:
Assumptions. The initial assumptions of the proposed scheme are as follows:
Analysis.
S_1. From M_AS and A_S3, applying the message-meaning rule (R_1) and the hash-function rule (R_8), we obtain:
S_2. From M_2 and A_A4, applying the message-meaning rule (R_1) and the hash-function rule (R_8), we obtain:
S_3. From M_2, the freshness rule (R_4) and A_A2, we obtain:
S_4. From S_2 and S_3, applying the nonce-verification rule (R_2) and the belief rule (R_5), we obtain:
S_5. From M_3, A_S3 and S_1, applying the message-meaning rule (R_1) and the hash-function rule (R_8), we obtain:
S_6. From M_3, the freshness rule (R_4) and A_S2, we obtain:
S_7. From S_5 and S_6, applying the nonce-verification rule (R_2) and the belief rule (R_5), we obtain:
S_8. From M_BS and A_S4, applying the message-meaning rule (R_1) and the hash-function rule (R_8), we obtain:
S_9. From M_BS, the freshness rule (R_4) and A_S2, we obtain:
S_10. From S_8 and S_9, applying the nonce-verification rule (R_2) and the belief rule (R_5), we obtain:
S_11. From M_SB and A_B4, applying the message-meaning rule (R_1) and the hash-function rule (R_8), we obtain:
S_12. From M_SB, the freshness rule (R_4) and A_B2, we obtain:
S_13. From S_11 and S_12, applying the nonce-verification rule (R_2) and the belief rule (R_5), we obtain:
S_14. From S_13 and A_B6, applying the jurisdiction rule (R_3), we obtain:

Validation test based on AVISPA
In this section we simulate the proposed scheme for formal security analysis with AVISPA. AVISPA provides the role-based HLPSL (High-Level Protocol Specification Language) for specifying protocols and their security properties, and four back-ends: OFMC (On-the-Fly Model-Checker), CL-AtSe (Constraint-Logic-based Attack Searcher), SATMC (SAT-based Model-Checker) and TA4SP (Tree Automata-based Protocol Analyser). They are used to find active and passive attacks on a protocol, such as man-in-the-middle and replay attacks, and to analyse security properties such as key secrecy and authentication [25,50].
To verify the security properties of the protocol with AVISPA, the protocol must be specified in HLPSL.
Specifying the proposed protocol. The proposed protocol has three participants: the server S and two users A and B. Figs 3-5 show the HLPSL specifications of the roles of users A and B and server S.
Fig 6 shows the HLPSL specification of the session, environment and goal roles.
Our specification checks six secrecy goals, covering user anonymity and the preservation of the user's secret, and seven authentication properties for mutual authentication.
Analysis of the results. We simulated the proposed scheme with the OFMC and CL-AtSe back-ends of AVISPA. The results of the security verification are shown in Figs 7 and 8.
The results show that the proposed scheme is reported safe by the OFMC and CL-AtSe back-ends of AVISPA: it guarantees user anonymity, provides mutual authentication, and is secure against passive and active attacks such as replay and man-in-the-middle attacks.

Informal security analysis
In this section we show that the proposed scheme resists various attacks and provides security properties such as mutual authentication, user anonymity and untraceability.
Mutual authentication. Mutual authentication is a key feature of an authenticated key agreement protocol, and the proposed scheme achieves strong mutual authentication. In the proposed scheme X_i is a secret shared between the server S and the user U_i in the registration phase. N_S is a nonce of the server S, and a and b are secrets generated by users A and B for generating the session key, which also serve as nonces.
In Step 5 of the authentication and key exchange phase, the server S receives the message
User anonymity. The proposed scheme guarantees user anonymity. The messages associated with the user's identifier (M_AS, M_BS, M_SA and M_SB) are encrypted with a secret key known only to the two participants concerned. For example, M_AS is encrypted with K_AS = T_a(P_s) = T_a(T_{k_s}(α)) = T_{k_s}(T_a(α)), where the random number a is known only to user A and the secret key k_s only to the server S.
Untraceability. The encryption keys K_AS and K_BS are computed from the random numbers a and b freshly generated by users A and B, so different sessions carry different ciphertexts. The other messages also contain fresh random numbers, so in every session they appear as random bit strings. Therefore the proposed protocol provides untraceability.
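The following is an added worked example, not code from the paper, for two passages: the Chebyshev preliminaries of Section 2 (T_n(α) mod p, CDLP and CDHP) and the key derivation K_AS = T_a(T_{k_s}(α)) = T_{k_s}(T_a(α)) used in the anonymity argument just above. It computes extended Chebyshev polynomials modulo a prime by fast matrix exponentiation of the recurrence T_{k+1} = 2x·T_k - T_{k-1}, checks the semigroup property on which the key agreement rests, and runs the user-to-server key agreement for both users. The prime P (the Mersenne prime 2^127 - 1), the base point ALPHA and the sizes of the random exponents are assumptions for the demonstration; the paper only requires p to be a large prime.

```python
"""Extended Chebyshev polynomials T_n(x) mod p and the chaotic-map key agreement.

Assumed parameters: P = 2^127 - 1 (a prime), ALPHA = 3. The paper's own p and
alpha are not given on the page; these are demonstration values only.
"""
import secrets


def _matmul(A, B, p):
    """Product of two 2x2 matrices (row-major 4-tuples) modulo p."""
    a, b, c, d = A
    e, f, g, h = B
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def _matpow(M, e, p):
    """M^e mod p by square-and-multiply; O(log e) matrix products."""
    R = (1, 0, 0, 1)
    while e:
        if e & 1:
            R = _matmul(R, M, p)
        M = _matmul(M, M, p)
        e >>= 1
    return R


def chebyshev(n, x, p):
    """T_n(x) mod p with T_0 = 1, T_1 = x, T_{k+1} = 2x T_k - T_{k-1}.

    [T_{k+1}, T_k]^T = M [T_k, T_{k-1}]^T with M = [[2x, -1], [1, 0]], so
    [T_n, T_{n-1}]^T = M^(n-1) [T_1, T_0]^T and T_n = M^(n-1)[0][0]*x + M^(n-1)[0][1].
    """
    x %= p
    if n == 0:
        return 1 % p
    M = (2 * x % p, (-1) % p, 1, 0)
    r00, r01, _, _ = _matpow(M, n - 1, p)
    return (r00 * x + r01) % p


def semigroup_holds(a, b, x, p):
    """Checks T_a(T_b(x)) == T_b(T_a(x)) == T_{ab}(x) (mod p), the property that
    makes T_a(T_s(x)) a Diffie-Hellman style shared value (CDHP)."""
    lhs = chebyshev(a, chebyshev(b, x, p), p)
    rhs = chebyshev(b, chebyshev(a, x, p), p)
    return lhs == rhs == chebyshev(a * b, x, p)


P = (1 << 127) - 1    # assumed prime modulus
ALPHA = 3             # assumed public base point alpha in Z_p


def three_party_keys(k_s, a, b, p=P, alpha=ALPHA):
    """Server S holds k_s, publishes P_s = T_{k_s}(alpha); users A and B draw a, b.

    Returns (K_AS, K_SA, K_BS, K_SB). The user side needs only the public P_s and
    its own exponent; the server side needs only the value R_A / R_B sent in the
    clear and k_s. An eavesdropper who sees alpha, P_s, R_A, R_B must solve CDHP
    (or CDLP for a or k_s) to recover the pairwise key.
    """
    P_s = chebyshev(k_s, alpha, p)
    R_A = chebyshev(a, alpha, p)       # A -> S, public
    R_B = chebyshev(b, alpha, p)       # B -> S, public
    K_AS = chebyshev(a, P_s, p)        # A computes T_a(P_s)
    K_SA = chebyshev(k_s, R_A, p)      # S computes T_{k_s}(R_A)
    K_BS = chebyshev(b, P_s, p)
    K_SB = chebyshev(k_s, R_B, p)
    return K_AS, K_SA, K_BS, K_SB


def main():
    k_s = secrets.randbelow(P - 1) + 1           # server long-term secret
    a = secrets.randbelow(P - 1) + 1             # fresh per session
    b = secrets.randbelow(P - 1) + 1
    K_AS, K_SA, K_BS, K_SB = three_party_keys(k_s, a, b)
    print("A/S agree:", K_AS == K_SA, " B/S agree:", K_BS == K_SB)
    print("semigroup property holds:", semigroup_holds(a % 100003, b % 100003, ALPHA, P))


if __name__ == "__main__":
    main()
```

Because a and b are drawn fresh in every run of main(), the pairwise keys, and hence the ciphertexts that carry U_A and U_B, change from session to session, which is the untraceability argument made above; the check in semigroup_holds is the algebraic fact that lets both sides reach the same key without either revealing its exponent.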

Off-line password guessing attack
The proposed scheme is secure against password guessing attacks.
In the proposed scheme the user's password is used only to unlock the smart card, and no password-related information is disclosed on the public channel.
The information stored in user A's smart card is {p, α, P_s, G_A, F_A, T_n(·), H(·), E_K(·), D_K(·)}, and the values related to the user's password are G_A = H(U_A||pw_A||h(bm_A)) ⊕ X_A and F_A = H(U_A||pw_A||h(bm_A)||X_A). Suppose an attacker steals user A's smart card SC_A and knows his identifier U_A. To guess the password, the attacker must compute PR_A'. However, since he does not know h(bm_A), he cannot compute PR_A'. Therefore the attacker cannot guess the user's password.
Privileged insider attack. The proposed scheme is secure against privileged insider attacks: the user's password is never transmitted to the server S, so a privileged insider at the server cannot learn it.
Stolen verifier attack. The proposed scheme is secure against stolen verifier attacks. In the registration phase the server stores the tuple {U_A, N_a} in its user registration table, where U_A is user A's identifier and N_a is a random number chosen by the server. Neither value is sufficient to authenticate as the user, so the proposed scheme is secure against stolen verifier attacks.
User impersonation attack. The proposed scheme is secure against user impersonation attacks.
A user impersonation attack is possible only in a scheme that cannot provide reliable authentication: if a participant X cannot authenticate a participant Y, an attacker can impersonate Y. As shown above, the proposed scheme achieves reliable mutual authentication. In Step 5 the server S authenticates A and B with its nonce N_S and the users' secrets X_A and X_B. To impersonate user A, an attacker must compute V_A and V_AS, but he does not know A's secret X_A = H(U_A||N_a||k_s) and cannot compute it, because k_s is the server's secret key; hence he cannot compute V_A or V_AS and cannot impersonate A. Likewise an attacker cannot impersonate user B.
Man-in-the-middle attack. As shown above, the proposed scheme achieves reliable mutual authentication, so an attacker can impersonate neither the initiator A nor the responder B and cannot mount a man-in-the-middle attack.
To mount a man-in-the-middle attack, the attacker would have to establish a session key K_AB' = H(T_AB||R_S') with users A and B. Suppose the attacker generates a random number b' and R_S' to exchange a session key with user A and computes T_AB
That is, the proposed scheme is resistant to man-in-the-middle attacks.

Performance and security comparison
Table 6 compares the communication overhead of the proposed scheme with other 3PAKE schemes. As Table 6 shows, the proposed scheme has more message rounds and a higher communication overhead than the other schemes. Table 7 compares the security features of the proposed scheme with those of the other 3PAKE schemes.
As shown in Table 7, the proposed scheme outperforms the other schemes in terms of the security features considered.
Irshad's scheme has lower communication overhead and computational cost than the proposed scheme, but it provides neither untraceability nor a re-registration phase.
Jabbari's scheme has higher communication overhead and higher computational cost than ours and provides no re-registration phase.
Li's scheme has lower communication overhead than ours but higher computational cost; it attempted to provide user anonymity but did not achieve it, is vulnerable to the verifier disclosure, user impersonation and stolen verifier attacks, and has faults in its password change phase. Lu's scheme has lower communication overhead than ours but higher computational cost, and provides neither user anonymity, untraceability nor a re-registration phase.

Conclusion and future work
In this paper we have analysed Li et al.'s scheme, shown that it has several faults, and proposed an enhanced three-party mutual authentication key exchange (3PMAKE) protocol based on chaotic maps and smart cards that provides user anonymity and untraceability for user-to-user communication. The proposed scheme provides strong mutual authentication between the server and the users without timestamps, and lets users re-register with the system without changing their identifier. It also provides anonymity and untraceability and is secure against attacks such as user impersonation, privileged insider and stolen verifier attacks. In addition, we have formally analysed the security properties of the proposed scheme with BAN logic and the AVISPA tool, and shown through informal security analysis that it is secure against various attacks.
Because the proposed scheme is designed to provide strong mutual authentication between the participants without timestamps, its number of message exchanges and its communication overhead are relatively high. Furthermore, since the key exchange is based on chaotic maps, the scheme gains in security but has higher computational cost than lightweight schemes that do not use public-key cryptography. The proposed method is therefore suited to systems that must provide stronger security properties in environments where timestamps are not available and communication overhead is not a constraint.
In future work we will investigate improved authentication key exchanges for IoT or WSN environments that require lightweight schemes in terms of communication overhead and computational cost; that is, instead of public-key cryptography we will use only hash functions to reduce the computational cost of the key exchange and its communication overhead.